    Ad Bezemer

    [email protected]

    How to secure an Intranet: PKI case study

    Topics

    • Rabobank

    • Why Rabobank needs PKI

    • Directory Implementation

    • PKI implementation

    • Authorisation

    • Further uses of PKI

    • Lessons learned

    Rabobank Group

    • Rabobank Cooperative bank

    –Largest Dutch retail bank

    –1500 branch offices, 50,000 employees

    –Largest Internet bank in Europe

    • Interpolis Insurance and pensions

    • De Lage Landen Leasing, Trade Finance

    • Robeco Asset Management, Investment funds

    Thanks to ICT the Rabobank handles 7,000,000 customer financial transactions

    Topics

    • Rabobank

    • Business need for PKI

    • Implementing an Enterprise Directory

    • Implementing a PKI

    • Further uses of PKI

    What is PKI

    • 1998: PKI hype cures everything

    • 2000: PKI illusion is expensive and brings nothing

    • 2002: PKI if there is a business need

    Why does Rabobank need PKI

    • Banking business changes

    –From transactions at a branch office

    –To transactions anytime anywhere

    • Type of application changes

    –From local applications with defined external interfaces

    –To distributed applications accessed anytime anywhere

    • Role of security changes:

    –From protecting business

    –To enabling business

    Application landscape in 1997

    • Many applications (>200)

    • Data in different places

    • Different architectures:

    –Specific hardware

    –Terminal emulation

    –PC applications

    –Client server applications

    New application Architecture

    • Started 1997

    • Supports different and new distribution channels

    • All data centralised

    • Intranet based

    • RaboWeb development started

    RaboWeb needs infrastructure

    • Rabobank started to develop RaboWeb

    • Philosophy: make use of the internet developments internally

    • This raises a number of questions:

    –Authentication

    –Authorisation

    –Integrity

    • To provide answers to these questions the RaboWeb Security program was started

    RaboWeb security

    • Problem:

    –Many systems for authorisation

    –A lot of maintenance

    –Higher security is needed

    –30000 users

    –100+ applications

    • Questions:

    –Uniform authorisation, role-based

    –Accommodate highly secure applications

    –Financial transactions on RaboWeb

    –Improved security in PC access.

    RaboWeb security plan

    • How to reach the goals?

    • Research started 1997

    –Request for Information

    –6 vendors

    –0 solutions

    –1 roadmap

    RaboWeb security Roadmap

    • Goals are reached by

    –Implement authorisation middleware

    –Implement central Directory

    –Implement PKI

    –Use PKI as a uniform security infrastructure

    • Use standards

    • No specials

    Major functions RaboWeb security

    • Registration: store of information, secure comm.

    • Authentication: who is this

    • Authorisation: who has access, up to which amount

    • Log & audit: who has performed what

    RaboWeb Security

    • Development started 1998

    • Major functions

    –Registration: Central Directory

    –Authentication: PKI

    –Authorisation: Role based

    Central Directory Overview

    • Central Master server for maintenance

    • Slave servers for queries; access via LDAP

    • Every object has a unique key: RabobankID

    • Started with X.500 product on NT platform

    –Gave performance problems with >20000 users

    • Migrated in 2001 to OpenLDAP

    • Migration took 6 weeks

    • Standardise on LDAP V3.

    Directory server response time

    [Chart: response time in seconds (y-axis, 0 to 40) against time of day (x-axis, 18 samples from 06:01:51 to 17:44:56), comparing DS-old (31-10) with DS-New (09-11)]

    Central Directory Current status

    • 33000 Users in Directory

    • Users are replicated to Windows NT and Exchange

    • Authorisations are stored as a user attribute

    • Synchronisation with Active Directory in development

    PKI Overview

    • Logical CA is started for every group member

    • No hierarchy

    • Start with signing certificate

    • Encryption certificate will follow

    • Started with XCert CA

    • XCert acquired by RSA in 2001

    • Now upgrading to KEON CA 6.01

    –compatible with Windows 2000

    PKI Current status

    • Operational since November 2000 for Large customers

    –access via SSL-3 over Internet

    • In test for use by employees of local banks

    PKI Issues and challenges

    • CRL lifetime

    • CA Certificate lifetime

    • CA rollover

    • Certificate publishing in external Directory

    • Version upgrades

    • High availability is difficult

    • Integration with Windows 2000

    • Detection of expiring certificates

    Smartcard Overview

    • Two factor authentication

    –Possession of the card

    –Knowledge of the PIN

    • Local issuing of cards

    • Datakey 330 card

    • Key generation on card

    • Supports PKCS and Crypto API

    • Compaq keyboard with reader

    • No USB

    Smartcard Current status

    • Operational for large customers

    • In test for local banks with Windows 95

    • Migration to XP starts December 2002

    –smartcard logon obligatory

    • Use for digital signatures:

    –Standards not always standard

    –Isolate use of crypto middleware from the application

    Smartcard Issues and challenges

    • Issuing process

    –To be issued within 5 minutes

    • Integration with Terminal Server

    • Secure PIN entry

    • Performance

    • Two readers on Windows 95

    • Support for more than one certificate

    • Offline authentication

    –now in research with Vasco

    Authorisation overview

    • Role based authorisation

    [Diagram: Dept. management and User management on the organisation side; Role management and Function management on the application side]

    Authorisation Technical details

    • First implementation based on signed cookies

    –Roles implemented as NT groups

    • Second version integrates with Directory and PKI

    –Roles from Directory

    –Cookies issued in SSL-3 session

    • 60+ applications are operational

    • Implementation of new roles in progress
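An added example, not Rabobank's code, of the signed-cookie mechanism the second version describes: after the gateway has authenticated the client certificate in the SSL session, it issues a cookie carrying the RabobankID and the roles looked up in the directory, signed with a key shared with the applications, which check a role on every request without trusting anything the client could alter. The directory contents, RabobankIDs, key and TTL are constructed stand-ins.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the central directory: RabobankID -> attributes,
# with the authorisations stored as a user attribute (as the slides describe).
DIRECTORY = {
    "Y": {"name": "X", "roles": ["teller", "loan-officer"]},
    "Z": {"name": "W", "roles": ["teller"]},
}

# Constructed secret shared by the gateway (issuer) and the applications (verifiers).
COOKIE_KEY = b"constructed-secret-replace-in-practice"


def _sign(body: bytes) -> str:
    """HMAC-SHA256 over the encoded claims, base64 so it fits in a cookie value."""
    mac = hmac.new(COOKIE_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_cookie(rabobank_id: str, now: int, ttl: int = 600) -> str:
    """Gateway side: called only after the client certificate was validated in
    the SSL session. Roles come from the directory, never from the client."""
    roles = DIRECTORY[rabobank_id]["roles"]
    claims = {"id": rabobank_id, "roles": roles, "exp": now + ttl}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)


def verify_cookie(cookie: str, now: int):
    """Application side: return the claims if the MAC is valid and the cookie
    has not expired, else None. The claims are not parsed before the MAC check."""
    try:
        encoded, sig = cookie.rsplit(".", 1)
        body = base64.urlsafe_b64decode(encoded)
    except ValueError:  # malformed cookie (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(sig, _sign(body)):  # constant-time comparison
        return None
    claims = json.loads(body)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorise(cookie: str, required_role: str, now: int) -> bool:
    """Role based check an application performs on every request."""
    claims = verify_cookie(cookie, now)
    return claims is not None and required_role in claims["roles"]
```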

    Authorisation Issues and challenges

    • Availability is major issue

    • Products are available: IBM, Baltimore, RSA, etc.

    • No standards yet

    • Wait for standards

    –Attribute certificates?

    –SAML?

    PKI Example: use of smartcard for authentication and authorisation

    [Diagram: Directory Service (LDAP) holding Name: X, RaboID: Y; "Normal" workstations with a smartcard at a local bank, at a customer location and on the Internet; the RaboWeb applications behind a PKI Gateway that checks the CRL]

    1: Make RWA connection with http://appl.rabobank.nl

    2a: Ask client for the right certificate

    2b: Make SSL connection to https://gateway/app

    3: Make RWA connection with http://appl.rabobank.nl

    Further use of PKI

    • Secure mail

    • VPN

    • Secure PIN entry

    • PC Logon

    • Compatible with Outlook

    • Compatible with Cisco

    • Compatible with Digipass 850

    • Compatible with Windows 2000

    Lessons learned

    • Do an RFI

    –Make requirements clear

    –Paper is patient

    –Do a pilot

    –Also test support

    • Use standards

    –Even if you get less functionality

    –Even then there are differences